Mon Jul 30 02:09:32 CEST 2012
Running your own Tor wireless network
Sometimes you just want to provide a completely open wireless network for poor lost souls passing by your neighborhood in search of a way back home. Or for guests you don't necessarily want to give direct access to your internal network, since you cannot fully trust them to still respect a code of conduct at the end of your party.
In some legislations, it's completely acceptable to operate an open wireless network which everybody can access. However, in other legislations, it may not be legal to do so. Germany, for example, will hold you liable for any illegal activity performed from your open wireless network.
Legally, there's not much you can do there. The procedure outlined in this blog entry will make it less likely that abusers of your wireless networks can be traced back to you. So this is not a legal advise to use this procedure, in fact it is strongly discouraged. But in case you're curious, this is how it works.
Requirements
To implement such an anonymized wireless network, you will need a few things:
- A wireless access point which supports 802.11 networking
- A router behind your access point
- The following software packages:
- tor — Anonymizing overlay network for TCP
- privoxy (optional) — Web proxy with advanced filtering capabilities
- redsocks — Redirect any TCP connection to a SOCKS or HTTPS proxy server
- ISC DHCP server — ISC DHCP server for automatic IP address assignment
Setting up Tor with transparent DNS
As a first step, you will of course need to set up Tor on your router. The important settings are (replace 192.168.1.1 with the IP address of your router in the wireless VLAN):
SocksPort 9050 # Start a socks4a proxy on port
9050
SocksListenAddress 192.168.1.1:9050 # Listen only on the wireless
interface
SocksPolicy accept 192.168.0.0/16 # Permit only connections from
the local network
SocksPolicy reject * # Reject everything else
RunAsDaemon 1 # Run detached and continuously
DNSPort 9053 # Relay DNS queries through the Tor network on port
9053
DNSListenAddress 192.168.1.1:9053 # … and open it only to the
wireless network
AutomapHostsOnResolve 1 # Use local addresses to map .onion or
.exit destinations in DNS
AutomapHostsSuffixes .exit,.onion # Send .exit and .onion to the
mapped addresses
# The following line is very important. Since we're using Tor
separately # for DNS, we'll get swamped in error messages saying
we're connecting to # an IP, not a name, and that we may leak DNS
queries. We clearly won't, # since we're using Tor for DNS.
WarnUnsafeSocks 0
[… Regular Tor configuration …]
Once this is done, you should be able to connect to port 9050 on your router and send traffic through the Tor network. Now you need to redirect all incoming DNS traffic to port 9053. Under Linux, the corresponding iptables rule is (replace eth6 with your wireless network interface):
% iptables -t nat -A PREROUTING -i eth6 -p udp
-m udp --dport 53 -j REDIRECT --to-ports 9053
You will only need to permit traffic to port 9053 then:
% iptables -A INPUT -d 192.168.1.1/32 -i eth6
-p udp -m udp --dport 9053 -j ACCEPT
% iptables -A INPUT -i eth6 -j REJECT --reject-with
icmp-admin-prohibited
% iptables -A OUTPUT -s 192.168.1.1/32 -o eth6 -p udp -m udp
--sport 9053 -j ACCEPT
% iptables -A OUTPUT -o eth6 -j REJECT --reject-with
icmp-admin-prohibited
Now you'll only be able to send traffic to port 53 of your router and nowhere else in the world. We'll fix that in the next section.
Sending TCP traffic to Tor transparently
Now you need to play some tricks so your network traffic is actually going to Tor without using Socks explicitly. The redsocks package provides such functionality: it's a transparent network listener which redirects traffic to a Socks proxy.
The setup is relatively straightforward, but you can only redirect the capture for TCP because Tor doesn't support UDP traffic. So in a nutshell, the configuration looks like this:
base {
log_debug = off;
log_info = on;
log = "syslog:daemon";
daemon = on;
user = redsocks;
group = redsocks;
redirector = iptables; // If not Linux, use something else.
}
redsocks {
local_ip = 192.168.1.1;
local_port = 12345;
ip = 192.168.1.1;
port = 9050;
type = socks4;
}
Now we need to use our firewalls again to get all traffic to flow through redsocks:
% iptables -t nat -A PREROUTING -i eth6 ! -d
192.168.1.1/32 -p tcp -j REDIRECT --to-ports 12345
% iptables -I INPUT -d 192.168.1.1/32 -i eth6 -p tcp -m tcp --dport
12345 -j ACCEPT
% iptables -I OUTPUT -s 192.168.1.1/32 -o eth6 -p tcp -m tcp
--sport 12345 -j ACCEPT
It's very important that you exempt traffic going to your router from this so we can still make connections to the services sensibly. All the other traffic is now going to flow through your Tor router.
Optional: clean HTTP traffic of requester patterns
You may want to purge all kinds of information about the original requester from any HTTP traffic going through your wireless as well. HTTP is one of the most important protocols nowadays, and every request has the potential of leaking information about you and your users. privoxy is an HTTP proxy especially designed for this.
The gain is only partial, as you obviously cannot filter HTTPS requests. But it's a start. The config for privoxy must contain:
listen-address 192.168.1.1:8118
permit-access 192.168.0.0/16
forward-socks4a / 192.168.1.1:9050 .
accept-intercepted-requests 1 # Very important: do transparent
filtering
connection-sharing 1 # We don't want to put more load on Tor as
necessary
Now take the traffic to port 80 and send it to privoxy:
% iptables -I PREROUTING -i eth6 -p tcp -m tcp
--dport 80 -j REDIRECT --to-ports 8118
% iptables -I INPUT -d 192.168.1.1/32 -i eth6 -p tcp -m tcp --dport
8118 -j ACCEPT
% iptables -I OUTPUT -s 192.168.1.1/32 -o eth6 -p tcp -m tcp
--sport 8118 -j ACCEPT
Now you cannot have non-HTTP connections to port 80 anymore, but your HTTP traffic gets cleaned from information you wouldn't want to leak.
Client configuration using DHCP
Now you need to automatically configure clients on your Tor network. Typically, Route Advertisements would be used for that nowadays, but Tor doesn't support IPv6 yet (which you may have noticed when you tried to resolve AAAA records through Tor). So, you're back to good old DHCP.
The important parts of the DHCP configuration:
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.254;
option routers 192.168.1.1;
option domain-name "tor.example.com";
option domain-search "example.com", "tor.example.com";
option domain-name-servers 192.168.1.1;
}
The piece that's missing here now is the access from the Tor network to the DHCP server, and that's easy: DHCP always sends requests from the bootpc port to the bootps port, either from 0.0.0.0 to 255.255.255.255 or from the server IP (192.168.1.1) to the client (192.168.1.0/24). So the rules are:
% iptables -I INPUT -p udp -m udp -s 0.0.0.0/32
--sport 68 -d 255.255.255.255/32 --dport 67 -j ACCEPT
% iptables -I INPUT -p udp -m udp -s 192.168.1.0/24 --sport 68 -d
192.168.1.1/32 --dport 67 -j ACCEPT
% iptables -I OUTPUT -p udp -m udp -s 255.255.255.255/32 --sport 67
-d 0.0.0.0/32 --dport 68 -j ACCEPT
% iptables -I OUTPUT -p udp -m udp -s 192.168.1.1/32 --sport 67 -d
192.168.1.0/24 --dport 68 -j ACCEPT
Make the configuration permanent
The last thing you'll need to do is to save the configuration to disk so it can be loaded again on the next reboot. There are different ways to do that on different operating systems and distributions. Under BSD, you will already have the configuration in your pf.conf.
If you're using Linux and iptables, one way would be to attempt
% /etc/init.d/iptables save
Debian doesn't have this facility, but you can write the rules file directly:
% iptables-save > /etc/iptables/rules
Most distributions have some kind of rules file like this. Find it, write it, be done with it. There's your transparent Tor wireless!
Testing
The only thing that's left now is testing: take your laptop, join the Tor wireless network, and navigate your browser to whatismyipaddress.com or something like that. You should see an IP which is completely different from your own one.